Duolingo, Inc.
duolingo.com
Duolingo, Inc. operates a language-learning platform accessible via a website and mobile application. Users engage in lessons and exercises to learn new languages.
Breach Overview
On January 24, 2023, data scraped from Duolingo's platform was first offered for sale. This data was later broadly distributed on a hacking forum in August 2023, affecting approximately 2.7 million records. The data was obtained by enumerating a vulnerable API, which allowed unauthorized access to user information.
The exposed data includes email addresses, names, spoken languages, and usernames. While some of this information, such as usernames and spoken languages, may be publicly visible on the platform, the exposure of private email addresses linked to these profiles creates a privacy risk. This combination of data can be used for targeted phishing attacks or other forms of social engineering, as it allows malicious actors to connect personal contact information with specific user activity on Duolingo.
Next Steps
Users whose data was exposed should immediately change their Duolingo password. It is critical to use a strong, unique password that has not been used on any other online service. If the same password was used for other accounts, those passwords should also be changed.
Monitor email inboxes for suspicious messages. Be cautious of any emails claiming to be from Duolingo or other services that request personal information or login credentials, or that direct you to unfamiliar websites. These could be phishing attempts that use the exposed data to appear legitimate. Enable multi-factor authentication (MFA) on your Duolingo account and on any other online services that offer it, as this adds a layer of security beyond the password alone.
Regularly review account activity on Duolingo for any unauthorized changes or usage. Additionally, be vigilant for any unusual activity across your other online accounts, as the exposed email address could be used to attempt access to other services where you might have reused credentials or where password reset attempts could be initiated.